The five words any developer dreads hearing: “Our site has been hacked.”
No one really wants to admit to having a lot of experience dealing with sites that have been hacked, because it raises the obvious question: “How did the site get hacked in the first place?” (We will address that later.) In the meantime, if your WordPress site has been hacked, here are 9 steps you should take.
Step 1: Don’t panic. If we are dealing with your typical hackers, your site should be up and running again by the end of the day. Now it may take you all day to get there, but there is hope.
Step 2: Find help online. WordPress has an in-depth, dedicated article precisely for this scenario. Read it and outline a plan for restoring your site.
Step 3: Locate the source. Search for injected code (such as spam links) and for files that you didn’t create. Run scans, such as the free ones provided by Sucuri, and use plugins like Anti-Malware and Brute-Force Security by ELI.
At this point, you might be wondering why your site was hacked in the first place. Rest assured that it was likely a crime of convenience and likely not because you were specifically targeted. Sucuri has written a great article that provides complete insight on this subject.
Step 4: Clean it up. Once you’ve located the malicious code, get rid of it! We also recommend cleaning your theme as well as ditching all the core WordPress files and replacing them with a fresh version. (Make sure not to delete your “uploads” folder, or all your images and documents will be gone.)
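As an added example, not code from the original article, here is a small Python triage script for Steps 3 and 4: it flags PHP files sitting under wp-content/uploads (which should hold media only) and files matching two constructed injection signatures (an obfuscated eval call and a hidden spam link), then compares core files against a dict of known-good MD5 sums. WordPress publishes per-version core checksums (the data WP-CLI’s `wp core verify-checksums` uses); here the checksums, the signatures and the site tree are all constructed inline so the script runs offline.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristic indicators of injected code, constructed for this example; real scanners
# such as Sucuri or Wordfence carry far larger signature sets.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(rb"<a\b[^>]*display:\s*none[^>]*>", re.I),  # hidden spam link
]

def find_suspicious_files(root):
    """Step 3: return sorted site-relative paths of files that look out of place."""
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        # Flag PHP under wp-content/uploads (it should hold media only) or a signature hit.
        if (rel.startswith("wp-content/uploads/") and path.suffix.lower() == ".php"
                or any(sig.search(path.read_bytes()) for sig in SUSPICIOUS_PATTERNS)):
            hits.append(rel)
    return sorted(hits)

def verify_core_checksums(root, expected_md5):
    """Step 4: compare core files with known-good MD5 sums; return (modified, missing)."""
    modified, missing = [], []
    for rel, md5 in expected_md5.items():
        path = Path(root, rel)
        if not path.is_file():
            missing.append(rel)
        elif hashlib.md5(path.read_bytes()).hexdigest() != md5:
            modified.append(rel)
    return sorted(modified), sorted(missing)

def run_demo():
    """Write a constructed site tree to a temp dir, run both checks and return the findings."""
    clean = {"index.php": b"<?php require 'wp-blog-header.php';\n",
             "wp-load.php": b"<?php // core\n", "wp-settings.php": b"<?php // core\n"}
    expected = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}  # known-good sums
    on_disk = dict(clean)
    del on_disk["wp-load.php"]                                              # core file removed
    on_disk["wp-settings.php"] += b"eval(base64_decode('PLACEHOLDER'));\n"  # core file tampered
    on_disk["wp-content/uploads/2016/img.jpg"] = b"\xff\xd8\xff"           # legitimate media
    on_disk["wp-content/uploads/2016/cache.php"] = b"<?php // dropped file\n"
    on_disk["wp-content/themes/t/footer.php"] = b'<a href="http://spam.example/" style="display:none">x</a>\n'
    with tempfile.TemporaryDirectory() as root:
        for rel, data in on_disk.items():
            dest = Path(root, rel)
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(data)
        modified, missing = verify_core_checksums(root, expected)
        return {"suspicious": find_suspicious_files(root), "modified": modified, "missing": missing}
```

Against a real install, point both functions at the site root and feed `verify_core_checksums` the checksum list for your exact WordPress version; any modified or missing core file is a candidate for replacement from a fresh download.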
Step 5: Lock it down. Determining the hacker’s entry point is not easy, and you may never find it. Regardless, it’s time to lock your site down, so they can’t get in any of the doors or windows again. Here are just a few steps to increase the security of your site after you’ve ensured all the malicious files and code have been removed.
- Change your FTP password
- Change your WordPress password
- Install security plugins like Wordfence
Step 6: Restore your reputation. If your site has been hacked, it has likely been flagged by Google and is either marked as a hacked site in search results or blacklisted altogether. To get back on Google’s good side, you will want to sign up for Google Developer Tools, verify your site, request a recrawl of the site and submit it for review.
Step 7: Keep it clean. Whew! Your site is finally clean and free of malicious code. Now what? Here are a few things you can do to keep your site safe.
- Continue using security plugins like Wordfence
- Keep WordPress and your plugins up to date
- Avoid using the default “admin” as your username
- Always use strong passwords
- Change the default login page to a unique URL
Step 8: Back it up. Now that you have a clean version of your site, make sure to back up your files and database, so you have them if you ever need them in the future.
Step 9: Pour yourself a drink. Exhale. Your site is clean and secure. Keep an eye on your security scans, but if you’ve taken the correct precautions, hopefully you can avoid any breaches in the future.